AT&T Alien Labs™ has observed new activity attributed to the Lazarus adversary group, potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. This assessment is based on malicious documents believed to have been delivered by Lazarus during the last few months (spring 2021). Historical analysis shows the lures used in this campaign to be in line with others previously used to target these groups. The purpose of this blog is to share the new technical intelligence and provide detection options for defenders. Alien Labs will continue to report on any noteworthy changes.

- Lazarus has been identified targeting defense contractors with malicious documents.
- There is a high emphasis on renaming system utilities (Certutil and Explorer) to obfuscate the adversary's activities (T1036.003).

Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group's actors include Destover, Duuzer, and Hangman.

Several documents identified from May to June 2021 by Twitter users have been linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities at Boeing and BAE Systems.

- Rheinmetall_job_requirements.doc: identified by ESET Research.
- Airbus_job_opportunity_confidential.doc: identified by 360CoreSec.
- General_motors_cars.doc: identified by Twitter user

The documents attempt to impersonate defense contractors and engineering companies such as Airbus, General Motors (GM), and Rheinmetall. All of these documents contain macro malware, which has been developed and improved during the course of this campaign and from one target to another. The core techniques in the three malicious documents are the same, but the attackers attempted to reduce potential detections and extend the capabilities of the macros.

The first two documents, from early May 2021, were related to Rheinmetall, a German engineering company focused on the defense and automotive industries. The second malicious document appears to include more elaborate content, which may have helped the documents go unnoticed by victims. The macro carries base64-encoded files, which are extracted and decoded during execution. Some of the files are split inside the macro and are not combined until the time of decoding.

One of the most distinctive characteristics of this macro is how it evades detection of an MZ header encoded in base64 (TVoA, TVpB, TVpQ, TVqA, TVqQ or TVro): the first two characters are separated from the rest of the content, as seen in Figure 1.

Figure 1: Concealing of MZ header, as captured by Alien Labs.

The rest of the content is kept together in lines of 64 characters, so YARA rules can still be used to detect other typical executable content encoded in base64 apart from the MZ header. In this case, up to nine different YARA rules alerted on suspicious encoded strings in our Alien Labs analysis, such as VirtualProtect, GetProcAddress, IsDebuggerPresent and GetCurrentProcessId.

Figure 2: YARA rule detections listed in the AT&T Alien Labs Open Threat Exchange (OTX).

All files created by the executable and used by the different macros are located in a new folder, C:/Drivers, with the purpose of masquerading their activity. The macro copies and renames the legitimate Microsoft executable Certutil.exe into this folder. The reason for this copy is to avoid endpoint detection and response (EDR) signatures based on system utilities executed from non-standard sources (a Microsoft Office document in this case). Additionally, the copy of Certutil is disguised by avoiding the full string: the path is partially replaced with an asterisk, %systemroot%\system32\certut*.exe.
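The MZ-header split and the 64-character body described above, reproduced as an added example (this is not code from the original post or from the analysed macro). It shows why a rule that looks only for the encoded MZ prefixes misses the split body, and why the encoded API names in the body remain detectable when each name is searched in all three base64 alignments, the same idea as YARA's `base64` string modifier. The payload bytes are constructed for the example and stand in for the real dropper; the function names are this example's own.

```python
import base64

# Constructed sample payload: an "MZ" stub followed by a few API names,
# standing in for the executable the macro really carries.
PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"VirtualProtect\x00GetProcAddress\x00IsDebuggerPresent\x00GetCurrentProcessId\x00"
)

# Base64 prefixes an "MZ" file can start with (the six listed in the post).
MZ_PREFIXES = ("TVoA", "TVpB", "TVpQ", "TVqA", "TVqQ", "TVro")
SUSPICIOUS_APIS = ["VirtualProtect", "GetProcAddress", "IsDebuggerPresent", "GetCurrentProcessId"]


def split_macro_payload(data: bytes, width: int = 64):
    """Mimic the macro's layout: base64-encode, peel off the first two
    characters ("TV") and store the remainder as 64-character lines."""
    b64 = base64.b64encode(data).decode()
    rest = b64[2:]
    return b64[:2], [rest[i:i + width] for i in range(0, len(rest), width)]


def reassemble(head: str, lines) -> bytes:
    """What the macro does at decode time: rejoin the pieces, then base64-decode."""
    return base64.b64decode(head + "".join(lines))


def mz_prefix_present(text: str) -> bool:
    """The naive check the split defeats: look for an encoded MZ header."""
    return any(p in text for p in MZ_PREFIXES)


def base64_variants(s: bytes):
    """Every base64 form `s` can take at the three byte alignments, with the
    characters that also depend on neighbouring bytes removed."""
    variants = set()
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + s).decode().rstrip("=")
        lead = (0, 2, 3)[shift]                          # chars tainted by the pad bytes
        trail = 0 if (shift + len(s)) % 3 == 0 else 1    # char sharing bits with what follows
        variants.add(enc[lead:len(enc) - trail])
    return variants


def find_encoded_apis(text: str, names):
    """Names whose base64 form, at any alignment, occurs somewhere in `text`."""
    return {n for n in names if any(v in text for v in base64_variants(n.encode()))}


HEAD, LINES = split_macro_payload(PAYLOAD)
BODY = "".join(LINES)

if __name__ == "__main__":
    print("MZ prefix visible in the split body :", mz_prefix_present(BODY))
    print("MZ prefix visible once rejoined     :", mz_prefix_present(HEAD + BODY))
    print("encoded APIs still detectable       :", sorted(find_encoded_apis(BODY, SUSPICIOUS_APIS)))
    assert reassemble(HEAD, LINES) == PAYLOAD
```

The scan runs over the joined body; a scanner that inspects the 64-character lines one at a time can miss a name whose encoding straddles a line boundary, so a rule written against the document itself should allow for the separators between lines.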
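Detection logic for the renamed-utility and wildcard-path behaviour described above, as an added example that is not part of the original post. It runs over constructed Sysmon-style process-creation records (the Image, OriginalFileName, CommandLine and ParentImage fields as Sysmon event ID 1 reports them; these are sample records, not telemetry from the campaign) and flags a watched binary whose version-resource name does not match its file name, a watched binary running outside the system directories, a command line that references a System32 path through a wildcard, and utilities spawned by an Office parent. The file name C:\Drivers\drv.exe is a placeholder, since the post does not give the renamed copy's name.

```python
import re
from pathlib import PureWindowsPath

# Folders where the genuine binaries live; anything else is a non-standard path.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Utilities the campaign copies and renames (T1036.003), matched on OriginalFileName.
WATCHED = {"certutil.exe", "explorer.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# A System32 path written with a wildcard, e.g. %systemroot%\system32\certut*.exe
WILDCARD_SYS32 = re.compile(r'system32\\[^\s\\"]*\*[^\s\\"]*', re.I)

# Constructed Sysmon-style process-creation records (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify C:\Users\a\cert.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy %systemroot%\system32\certut*.exe C:\Drivers\drv.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Drivers\drv.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Drivers\drv.exe -decode C:\Drivers\in.txt C:\Drivers\out.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]


def classify(event):
    """Return the list of detection tags that apply to one process-creation record."""
    tags = []
    image = PureWindowsPath(event["Image"])
    name = image.name.lower()
    orig = event.get("OriginalFileName", "").lower()      # from the PE version resource
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cmd = event.get("CommandLine", "")

    if orig in WATCHED:
        if name != orig:                                   # certutil.exe running as drv.exe
            tags.append("renamed-system-utility")
        if str(image.parent).lower() not in SYSTEM_DIRS:   # copy living in C:\Drivers
            tags.append("system-utility-from-non-standard-path")
    if WILDCARD_SYS32.search(cmd):                         # certut*.exe style path
        tags.append("wildcard-system32-path")
    if parent in OFFICE_PARENTS and (orig in WATCHED or name in SHELLS):
        tags.append("office-spawned-utility")
    return tags


def triage(events):
    """Map each record's Image to its tags, keeping only records that fired."""
    return {e["Image"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for image, tags in triage(EVENTS).items():
        print(f"{image}: {', '.join(tags)}")
```

Matching on OriginalFileName rather than on the file name is what catches the rename; the wildcard check is deliberately narrow (a wildcard inside a System32 path) so that ordinary `dir *.log` command lines do not fire.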